cert-manager-webhook-example/charts/cert-manager-webhook-dnsimple/templates/rbac.yaml

{{- $RBACAPIVersion := ternary "rbac.authorization.k8s.io/v1" "rbac.authorization.k8s.io/v1beta1" (.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1") -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: {{ $RBACAPIVersion }}
kind: RoleBinding
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "dnsimple-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: {{ $RBACAPIVersion }}
kind: ClusterRoleBinding
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "dnsimple-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: {{ $RBACAPIVersion }}
kind: ClusterRole
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - {{ .Values.groupName }}
    resources:
      - '*'
    verbs:
      - 'create'
---
apiVersion: {{ $RBACAPIVersion }}
kind: ClusterRoleBinding
metadata:
  name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
  labels:
    app: {{ include "dnsimple-webhook.name" . }}
    chart: {{ include "dnsimple-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ .Values.certManager.serviceAccountName }}
    namespace: {{ .Values.certManager.namespace }}